Content-Types only fetchable as SuperUser - hinders usage of Object-Changes

[moonrail]

NetBox version

v3.1.6

Python version

3.9

Steps to Reproduce

1. Create/Have a User
2. Do not grant the User SuperUser-Permissions via according flag in Admin-Backend
3. Grant the User permissions on everything (just for this test)
4. Log in as the User
   5.1 Try to access /extras/changelog/
   5.2 Try to access /api/extras/content-types/

Expected Behavior

5.1 should show changes without errors, as the User has Permissions on Extras > object change
5.2 should return all Content-Types, a User can use (used e.g. by the Frontend to provide Filters on Changelog)

Observed Behavior

5.1 raises an error, that content-types cannot be fetched. Object-Changes are visible, but Content-Type-Filtering is not possible
5.2 raises an HTTP 403

The only workaround is, to grant the User SuperUser-Permissions via Flag in Admin-Backend.
Obviously this workaround should not be used.

[jweiher]

Hi,

i investigated this issue a bit and the core of the problem seems to be that it is not possible to specify permissions for this, but the api view [1] seems to end up here:
https://github.com/encode/django-rest-framework/blob/master/rest_framework/generics.py#L99
Where the permissions are checkend and a 403 is raised if none is found.

I dont see any good point for checking the permissions on the content type anyways, so I would suggest to allow access to this when the user is logged in...

-- Jan

[1]

netbox/netbox/extras/api/views.py

Line 381 in dd71942

class ContentTypeViewSet(ReadOnlyModelViewSet):